topic Re: Tag Unused Rules in General Topics

Tag Unused Rules

nicford — Wed, 03 Jan 2018 19:26:26 GMT

How to tag all unused security policies. I'm faimilar with the "highlight unused" and > show running rule-use rule-base security type unused vsys vsys1 command.

Is there a way I can then easily tag all my rules used say older than 90 days?

Re: Tag Unused Rules

OtakarKlier — Wed, 03 Jan 2018 19:34:33 GMT

Hello,

The 'Highlight Unused Rules' are rules that have not been hit since the last reboot. There is really not an easy way from the GUI to select multiple rules and add the tags you want. Unless you have a lot of them, I just do them one by one.

One way would be to create the tag and then export the config xml, modifyi it to add your tags then upload it back into the PAN. I'm sure there are other ways, so other can comment with other ideas.

Regards,

Re: Tag Unused Rules

nicford — Wed, 03 Jan 2018 19:42:12 GMT

Unfortunately we have over 100 firewalls and probably 100s if not over 1000 unused rules. So something automated would be extremely helpful.

Re: Tag Unused Rules

OtakarKlier — Wed, 03 Jan 2018 20:01:55 GMT

Ah, in this case something like Ansible or Device Framework might help? I havent used either but they look promising. I would also reach out to your SE and see what their thoughts are.

https://live.paloaltonetworks.com/t5/Automation-API/ct-p/automation

Just some thoughts! Let us know how it goes.

Cheers!

Re: Tag Unused Rules

BPry — Wed, 03 Jan 2018 22:12:50 GMT

@nicford,

While automation is nice I think you are past the point of it really working the best for you to be honest. I would look at something like FireMon that can do this through a centralized basis and does it very well. Regardless this is going to take a while to clean up effectively on that many devices.

Re: Tag Unused Rules

sandeep.paul — Fri, 05 Jan 2018 15:49:56 GMT

from netmiko import ConnectHandler
import re
import time

with open('C:\\Users\\xxxxxxx\\Desktop\\test.txt') as f:
    x = []
    for line in f:
        x.append(line.strip())

def escape_ansi(line):
    ansi_escape = re.compile(r'(\x9B|\x1B\[)[0-?]*[ -/]*[@-~]')
    return ansi_escape.sub('', line)

devicelist=""
for i in x:
    try:
       firewall = ConnectHandler(device_type='paloalto_panos_ssh', ip=i, username='xxxxxxx', password='xxxxxxx')
       print('\n>>>>>>>>> Unused Policies of' + ' ' + i + ' <<<<<<<<<<<')
       time.sleep(10)
       hostname = firewall.send_command_timing(" show system info | match hostname", delay_factor=2)
       print (hostname)
       output= firewall.send_command(" show running rule-use rule-base security type unused vsys vsys1 ")
       time.sleep(20)
       output= escape_ansi(output)
       print (output.strip())
       firewall.disconnect()
       print('\n>>>>>>>>> Logged out of Device' + ' ' + i + ' <<<<<<<<<<<')
    except:
       print ('\nUnable to login to PAN'+' '+i)
       devicelist=devicelist+ i +"\n"
print ('\nFirewalls which needs to be checked  \n' +'' +devicelist)

Here is python script to get all the unused rules, I have implemented this today in my 50 firewall setup.

Please reach out if any queries.

Re: Tag Unused Rules

nicford — Fri, 05 Jan 2018 23:36:05 GMT

thanks for the script! but reviewing it (forgive me if I'm wrong), this just prints all the unused rules. My main goals would be to print the rules, then tag them. My next step would be locate this tag, disable rules. Finally, delete all disabled rules.

Re: Tag Unused Rules

jvalentine — Sat, 06 Jan 2018 00:16:28 GMT

I believe you could do this with pan-configurator:

- https://live.paloaltonetworks.com/t5/API-Articles/PAN-Configurator-scripting-library-and-utilities/ta-p/52163/jump-to/first-unread-message

- https://github.com/cpainchaud/pan-configurator

Clean unused rules even when you don't have logs over X months/years ( gets the list from cli 'show rulebase security type unused'):

run once : php rules-edit.php in=api://xxx actions=tag-add:Unused 'filter=(rule is.unused.fast)'

run every month: php rules-edit.php in=api://xxx actions=tag-remove:Unused 'filter=!(rule is.unused.fast) and (tag has Unused)' then after a few months, delete unused rules: php rules-edit.php in=api://xxxx actions=delete 'filter=(tag has Unused)'

You'd just be adding an intermediary step of disabling rules with the tag first, and then delete later.

https://live.paloaltonetworks.com/t5/API-Articles/rules-edit-php-to-manage-edit-export-rules-from-CLI/ta-p/53321

Re: Tag Unused Rules

sandeep.paul — Sat, 06 Jan 2018 01:54:23 GMT

Hey, yes I am working on the script to tag the sec policies, the script was basically to know the policies which needs attention on all firewalls ( in less than 15 mins).

Re: Tag Unused Rules

Brandon_Wertz — Mon, 08 Jan 2018 18:35:24 GMT

@BPry wrote:
@nicford,
While automation is nice I think you are past the point of it really working the best for you to be honest. I would look at something like FireMon that can do this through a centralized basis and does it very well. Regardless this is going to take a while to clean up effectively on that many devices.

Without a doubt I'll second this. If you've got "100s" of firewalls FireMon should be a "cost of doing business." It's beyond easy to use and will make your life so much easier as a firewall admin

Re: Tag Unused Rules

nicford — Thu, 11 Jan 2018 16:21:49 GMT

thanks for everyone feedback! I'll defintiely look into Firemon and also some scripts some of you have shared.